How to share sensitive information safely?

“The information scandal at Facebook, new European privacy legislation with an impact on large corporations and your local football club, lists of passwords being published online – data protection is now in the news more often than ever before”, Thijs Veugen – a senior researcher at TNO and part-time seconded in CWI’s Cryptology group – says. He recently wrote a blog on this topic that also appeared on the TNO website. “What should a company do if it wants to share information? There are more options than you might think. These involve innovative and highly secure techniques that form the basis of secure multi-party computation.”

Veugen says: “Imagine you want to calculate a quality benchmark in a specific sector, without allowing competing companies to access each other’s data. Or that you are sharing the results of clinical trials involving new medicines or treatments, so several different parties can work together to ensure that healthcare progresses more quickly and cheaply. Secure multi-party computation makes this possible, while maintaining privacy and protecting the interests of each party involved.

In today’s big-data era, it is becoming increasingly important to analyse data from a range of sources. Linking databases together can improve decision-making processes, facilitate more thorough research (and market research), and lead to more highly personalized products and services. In short, new revenue models and greater impact through the enrichment of data.

Sensitive data
There is more to data protection than privacy and personal data. For example, companies want to prevent commercially sensitive information falling into the wrong hands. Then there is the Dutch Ministry of Defence, which often takes part in international missions. The countries and organizations involved may not want to share their data, but they will all benefit from a collectively generated scenario of the mission area.

GDPR
Thus, it is important to strike a balance between the need to protect sensitive information and the desire to share information with other parties. In addition, the processing of personal data will soon be subject to increased regulation – by the new European General Data Protection Regulation (GDPR). This Regulation will impose additional legal obstacles to the linking of data, with effect from 25 May 2018.

Secure multi-party computation
A range of innovative solutions are now available to tackle this problem. Secure multi-party computation enables several different parties to jointly run computations on data, just as if they were using a shared database. At the same time, they can never access each other’s data with any degree of mathematical certainty. Organizations can use this ‘toolbox’ to securely link the most sensitive databases together. This clears the way for all kinds of new products and services.

Linking databases securely
Major market players like Google long ago discovered the power of secure multi-party computation. For example, they use their database to keep track of who clicked which sponsored links. Until recently, however, they did not know whether these visitors actually went on to make a purchase. Now, thanks to this new technology, Google can securely link its database to suppliers’ databases and calculate the actual value of its advertisements in the real world. This is just one example of how commercially sensitive data can be shared safely and efficiently.

Danish banks have used a similar approach to assess the creditworthiness of agricultural businesses. They enriched their data with domain expertise from an independent consultancy, without actually viewing that external data.

New world of applications
Good news: there has been a recent spurt in the development of important techniques based on secure multi-party computation, and they are now ready for use in practice. In mere seconds, Google can scan millions of records and find out how many of them occur in both databases. This opens up a whole new world of applications. IT specialists and cyber security experts from TNO are cooperating with staff from the Centrum Wiskunde & Informatica (the Netherlands’ national research institute for mathematics and computer science) in Amsterdam and other organizations. They are working on applications for the financial and medical sectors, such as industry benchmarking and medical research results.”

This blog, written by Thijs Veugen (TNO), was published earlier (26 April 2018) on the TNO website.
Thijs Veugen wrote a column on data protection with secure multi-party computation. Picture: TNO

Author
CWI
CWI is the national research institute for mathematics and computer science in the Netherlands and is an institute of the Netherlands Organisation for Scientific Research (NWO)